Security Technology: Intrusion Detection, Access Control and Other Security Tools
Chapter 7
Intrusion
“Intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operation of system with, almost always, the intent to do malicious harm.”
Definitions
- Intrusion prevention: activities that deter an intrusion
  - Writing & implementing a good enterprise information security policy
  - Planning & executing effective information security programs
  - Installing & testing technology-based countermeasures
  - Conducting & measuring the effectiveness of employee training and awareness activities
- Intrusion detection: procedures and systems that identify system intrusions
- Intrusion correction:
  - Activities that finalize the restoration of operations to a normal state
  - Activities that seek to identify the source & method of attack for prevention
Intrusion Detection Systems
- Commercially available in late 1990
- Works like a burglar alarm: detects a violation and sounds an alarm
- Extension – intrusion prevention systems: detect and prevent intrusion
- Generally accepted combination: intrusion detection and prevention system (IDPS)
IDPS Terminology
- Alarm or alert: indication that an attack is happening
- Evasion: attacker changes the format and/or timing of activities to avoid being detected
- False attack stimulus: event that triggers an alarm when no real attack is occurring
- False negative: failure of the IDPS to react to an attack
- False positive: alarm activates in the absence of an actual attack
- Noise: alarm events that are accurate but do not pose threats
- Site policy: rules & configuration guidelines governing the implementation & operation of the IDPS
IDPS Terminology
- Site policy awareness: ability to dynamically modify configuration in response to environmental activity
- True attack stimulus: event that triggers alarms in the event of a real attack
- Tuning: adjusting an IDPS
- Confidence value: measure of the IDPS's ability to correctly detect & identify types of attacks
- Alarm filtering: classification of IDPS alerts
- Alarm clustering and compaction: grouping almost identical alarms happening at close to the same time
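As an added example (not from the slides), the Python below performs the alarm clustering and compaction just defined over a constructed alert stream, then labels the compacted alarms with the terms above (true attack stimulus, false positive, noise, false negative) against a constructed ground truth. The signature names, addresses, timestamps and the 60-second window are all assumptions.

```python
"""Alarm clustering/compaction and alarm classification (added example;
the alerts, signature names and ground truth below are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    sig: str   # signature or rule name that fired
    src: str   # source address reported by the sensor


@dataclass
class Cluster:
    sig: str
    src: str
    first: datetime
    last: datetime
    count: int = 1


def cluster_alerts(alerts, window=timedelta(seconds=60)):
    """Alarm clustering and compaction: alerts with the same signature and
    source that arrive within `window` of the cluster's most recent alert are
    merged into one cluster, so an analyst sees one alarm with a count
    instead of a flood of near-identical ones."""
    clusters = []
    open_clusters = {}  # (sig, src) -> most recent Cluster for that key
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig, a.src)
        c = open_clusters.get(key)
        if c is not None and a.ts - c.last <= window:
            c.last = a.ts
            c.count += 1
        else:
            c = Cluster(a.sig, a.src, a.ts, a.ts)
            clusters.append(c)
            open_clusters[key] = c
    return clusters


def classify(clusters, real_attacks, noise_sigs):
    """Label compacted alarms with the IDPS terminology: true attack stimulus
    (a real attack fired an alarm), noise (accurate but harmless), false
    positive (alarm with no attack) and false negative (a real attack that
    never produced an alarm)."""
    result = {"true_attack": 0, "false_positive": 0, "noise": 0}
    detected = set()
    for c in clusters:
        key = (c.sig, c.src)
        if key in real_attacks:
            result["true_attack"] += 1
            detected.add(key)
        elif c.sig in noise_sigs:
            result["noise"] += 1
        else:
            result["false_positive"] += 1
    result["false_negative"] = len(set(real_attacks) - detected)
    return result


# --- constructed sample data (hypothetical sensor output and ground truth) ---
T0 = datetime(2024, 1, 1, 12, 0, 0)
ALERTS = [
    Alert(T0, "SCAN port sweep", "10.0.0.5"),
    Alert(T0 + timedelta(seconds=5), "SCAN port sweep", "10.0.0.5"),
    Alert(T0 + timedelta(seconds=40), "SCAN port sweep", "10.0.0.5"),
    Alert(T0 + timedelta(seconds=200), "SCAN port sweep", "10.0.0.5"),   # >60 s gap: new cluster
    Alert(T0 + timedelta(seconds=10), "ICMP echo sweep", "10.0.0.9"),    # accurate but harmless (noise)
    Alert(T0 + timedelta(seconds=30), "WEB SQL injection", "203.0.113.7"),  # rule misfired on benign traffic
]
REAL_ATTACKS = {("SCAN port sweep", "10.0.0.5"), ("SSH brute force", "198.51.100.2")}
NOISE_SIGS = {"ICMP echo sweep"}


def demo():
    clusters = cluster_alerts(ALERTS)
    return clusters, classify(clusters, REAL_ATTACKS, NOISE_SIGS)


if __name__ == "__main__":
    clusters, summary = demo()
    for c in clusters:
        print(f"{c.sig:20} {c.src:15} x{c.count} {c.first.time()}-{c.last.time()}")
    print(summary)
```

Six raw alerts compact to four alarms; the "SSH brute force" entry in the ground truth never produced an alert and is counted as the false negative, which is the figure a confidence value or tuning exercise would try to drive down.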
Why Use an IDS
- Prevent problem behaviors by increasing the perceived risk of discovery and punishment
- Detect attacks and other security violations
- Detect and deal with preambles to attacks
- Document the existing threat to an organization
- Act as quality control for security design & administration
- Provide useful information about intrusions that take place
Types of IDS
- Network-based: focused on protecting network information assets
  - Wireless
  - Network behavior analysis
- Host-based: focused on protecting the server's or host's information assets
Network-Based
- Resides on a computer or appliance connected to a segment of the organization's network
- Monitors network traffic on the segment
- Monitors packets
- Monitoring port (switched port analysis)
- Monitors all incoming and outgoing traffic
- Looks for attack patterns
- Compares measured activity to known signatures
- Protocol verification – packet structure
- Application verification – packet use
Advantages and Disadvantages
Advantages
- Needs few devices to monitor a large network
- Little or no disruption to normal operations
- May not be detectable by attackers
Disadvantages
- Overwhelmed by network volume
- Requires access to all traffic
- Cannot analyze encrypted packets
- Cannot ascertain if an attack was successful
- Some forms of attack are not easily discerned
  - Fragmented packets
  - Malformed packets
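Protocol verification (checking packet structure) and the fragmented/malformed-packet limitation listed above, as an added Python example that is not from the slides. It parses constructed IPv4 headers with the standard struct module, checks version, header length, total length and header checksum, flags fragments, and shows why a content signature split across two fragments is visible only after reassembly. Addresses, payloads and the signature string are constructed.

```python
"""Protocol verification of IPv4 headers and a fragmented-packet check
(added example; every packet below is constructed in code)."""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
IPV4_MIN_HLEN = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. With the checksum field
    zeroed it returns the value to store; over a correct header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, flags_frag=0, proto=6, total_len=None, corrupt_checksum=False) -> bytes:
    """Build a minimal IPv4 packet (no options). total_len/corrupt_checksum let
    the demo create malformed packets on purpose."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # RFC 5737 documentation addresses
    total = IPV4_MIN_HLEN + len(payload) if total_len is None else total_len
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total, 0x1234, flags_frag, 64, proto, 0, src, dst)
    csum = ipv4_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x0001
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def verify_ipv4(pkt: bytes) -> dict:
    """Protocol verification: the structural checks an NIDPS performs before any
    signature matching. Returns the verdict and the reasons for a failure."""
    problems = []
    if len(pkt) < IPV4_MIN_HLEN:
        return {"ok": False, "fragment": False, "problems": ["truncated header"]}
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = struct.unpack(IPV4_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        problems.append(f"version {version} is not 4")
    if ihl < IPV4_MIN_HLEN or ihl > len(pkt):
        problems.append(f"header length {ihl} is invalid for a {len(pkt)}-byte packet")
    elif ipv4_checksum(pkt[:ihl]) != 0:
        problems.append("bad header checksum")
    if total_len != len(pkt):
        problems.append(f"total length field {total_len} != {len(pkt)} bytes on the wire")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    return {"ok": not problems, "fragment": more_fragments or frag_offset > 0,
            "offset": frag_offset, "proto": proto, "problems": problems}


def reassemble(fragments) -> bytes:
    """Naive reassembly for the demo: order fragments by offset and join their
    payloads. Real stacks must also handle overlaps, gaps and timeouts."""
    parts = []
    for f in fragments:
        ihl = (f[0] & 0x0F) * 4
        parts.append((verify_ipv4(f)["offset"], f[ihl:]))
    return b"".join(p for _, p in sorted(parts))


SIGNATURE = b"GET /admin/backup.sql"  # constructed content signature


def demo() -> dict:
    good = build_ipv4(b"GET /index.html")
    frag1 = build_ipv4(b"GET /adm", flags_frag=0x2000)   # MF set, offset 0; payload is 8 bytes
    frag2 = build_ipv4(b"in/backup.sql", flags_frag=0x0001)  # offset 1 * 8 = 8, last fragment
    bad_len = build_ipv4(b"abc", total_len=9999)
    bad_sum = build_ipv4(b"abc", corrupt_checksum=True)
    return {
        "good": verify_ipv4(good),
        "frag1": verify_ipv4(frag1),
        "bad_len": verify_ipv4(bad_len),
        "bad_sum": verify_ipv4(bad_sum),
        "truncated": verify_ipv4(good[:12]),
        # the signature is invisible in each fragment and visible only after reassembly
        "sig_in_fragments": any(SIGNATURE in f[20:] for f in (frag1, frag2)),
        "sig_after_reassembly": SIGNATURE in reassemble([frag2, frag1]),
    }
```

A sensor that inspects fragments one at a time never sees the signature; it has to either reassemble (costing memory and state, which is where the "overwhelmed by volume" and DoS concerns come in) or accept that such traffic is not easily discerned.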
Wireless NIDPS
- Monitors and analyzes wireless network traffic
- Looks for potential problems with the wireless protocols (layers 2 and 3)
- Cannot evaluate & diagnose issues with higher-level layers
- Issues associated with implementation
  - Physical security
  - Sensor range
  - Access point and wireless switch locations
  - Wired network connections
  - Cost
Wireless NIDPS
- Can detect conditions in addition to those detected by traditional types of IDPS
  - Unauthorized WLANs and WLAN devices
  - Poorly secured WLAN devices
  - Unusual usage patterns
  - The use of wireless network scanners
  - DoS attacks and conditions
  - Man-in-the-middle attacks
- Unable to detect passive wireless protocol attacks
- Susceptible to evasion techniques
- Susceptible to logical and physical attacks on the wireless access point
Host-Based
- Resides on a particular computer or server & monitors traffic only on that system
- Also known as system integrity verifiers
- Works on the principle of configuration and change management
- Classifies files in categories & applies various notification actions based on rules
- Maintains its own log file
- Can monitor multiple computers simultaneously
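The system-integrity-verifier idea above (baseline the files, classify them into categories, apply a notification action per category when something changes), as an added Python example that is not from the slides. The policy, the directory tree and the "activity" after the baseline are all constructed inside a temporary directory; the category names and actions are assumptions.

```python
"""Host-based integrity verification: baseline file hashes, classify files into
categories with different notification actions, report deviations.
Added example; policy, files and activity are all constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed site policy: first matching category wins, each with its own
# notification action (the rule-based classification the slide describes).
POLICY = [
    ("critical", ("etc/passwd", "etc/shadow", "etc/sudoers", "bin/"), "page on-call"),
    ("config", ("etc/",), "alert"),
    ("logs", ("var/log/",), "allow growth"),
    ("other", ("",), "log only"),
]


def categorize(rel_path: str):
    for category, prefixes, action in POLICY:
        if any(rel_path.startswith(p) for p in prefixes):
            return category, action
    return "other", "log only"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """rel path -> (sha256, size, permission bits) for every regular file under root."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_size, st.st_mode & 0o777)
    return snap


def compare(baseline: dict, current: dict) -> list:
    """One (path, category, change, action) tuple per deviation from the baseline."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        category, action = categorize(rel)
        if rel not in current:
            findings.append((rel, category, "deleted", action))
        elif rel not in baseline:
            findings.append((rel, category, "added", action))
        else:
            (b_hash, b_size, b_mode), (c_hash, c_size, c_mode) = baseline[rel], current[rel]
            if b_hash != c_hash:
                # log files are expected to change; only shrinking (possible log wiping) is reported
                if category == "logs" and c_size >= b_size:
                    continue
                findings.append((rel, category, "content", action))
            elif b_mode != c_mode:
                findings.append((rel, category, "mode", action))
    return findings


def demo() -> list:
    """Build a constructed tree, take a baseline, simulate activity, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "var/log/auth.log": b"session opened for alice\n",
            "home/alice/notes.txt": b"todo\n",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = snapshot(root)

        # constructed activity after the baseline was taken
        (root / "etc/passwd").write_bytes(files["etc/passwd"] + b"svc2:x:0:0::/:/bin/sh\n")  # extra uid-0 account
        (root / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")                # config weakened
        with open(root / "var/log/auth.log", "ab") as f:
            f.write(b"session opened for bob\n")                                            # normal log growth
        (root / "bin").mkdir()
        (root / "bin/helper").write_bytes(b"#!/bin/sh\nexit 0\n")                           # unexpected new file
        (root / "home/alice/notes.txt").unlink()                                            # user file removed
        return compare(baseline, snapshot(root))
```

The baseline is the "configuration and change management" state; the verifier's only job is to report drift from it with the urgency the category demands, which is why the log-growth case is swallowed while the passwd edit pages someone. The hash snapshot is itself a target, so in practice it is stored off-host or signed, a point the disadvantage slides below make in general terms.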
Advantages
- Reliable
- Can detect local events
- Operates on the host system, where encrypted files are already decrypted and available
- Use of switched network protocols does not affect it
- Can detect inconsistencies in how application and system programs were used
Disadvantages
- Pose more management issues: configured and maintained on each host
- Vulnerable both to direct attacks and to attacks against the host operating system
- Not optimized to detect multi-host scanning
Disadvantages
- Not able to detect scanning of non-host devices (routers and switches)
- Susceptible to Denial of Service attacks
- Can use large amounts of disk space – audit logs
- Can inflict a performance overhead on host systems
Application Based
- Examines an application for abnormal events
- Looks for files created by the application
- Anomalous occurrences – a user exceeding authorization
- Tracks interaction between users and applications
- Able to trace specific activity back to an individual user
- Able to view encrypted data
- Can examine the encryption/decryption process
Advantages & Disadvantages
Advantages
- Aware of specific users
- Able to operate on encrypted data
Disadvantages
- More susceptible to attack
- Less capable of detecting software tampering
IDS Methodologies
- Types are determined by where the IDS is placed for monitoring purposes
- IDS methodologies are based on detection methods
- Two dominant methodologies
  - Signature-based (knowledge-based)
  - Statistical-anomaly approach
Signature Based
- Examines data traffic in search of patterns that match known signatures
  - Footprinting and fingerprinting activities
  - Specific attack sequences
  - DoS
- Widely used
- Signature database must be continually updated
- Attack time-frame sometimes problematic: slow and methodical attacks may slip through
Statistical Anomaly Based
- Based on the frequency with which network activities take place
- Collect statistical summaries of "normal" traffic to form a baseline
- Measure current traffic against the baseline
- Traffic outside the baseline will generate an alert
- Can detect new types of attacks
- Requires much more overhead and processing capacity
- May not detect minor changes to the baseline
Log File Monitors
- Similar to NIDS
- Reviews logs
- Looks for patterns & signatures in log files
- Able to look at multiple log files from different systems
- Large storage requirement
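The two methodologies (Signature Based and Statistical Anomaly Based) and the log file monitor slide, together in one added Python example that is not from the slides. It reads constructed log lines from two hosts, runs knowledge-based signature rules over them, and builds a per-host statistical baseline of failed logins per minute from a quiet period so that a later burst is flagged as an anomaly while a slow, low-rate attempt stays under the threshold, which is the "slow and methodical may slip through" / "may not detect minor changes to the baseline" caveat. Rules, hostnames, addresses, timestamps and the mean + 3·σ threshold are all assumptions.

```python
"""Signature-based matching and statistical-anomaly detection over constructed
log lines from two hosts, as a log file monitor would see them.
Added example; rules, hosts, addresses and log lines are all constructed."""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed signature rules (knowledge-based detection); not from any real ruleset.
SIGNATURES = [
    ("WEB directory traversal in URI", re.compile(r"GET \S*\.\./")),
    ("WEB SQL injection probe", re.compile(r"(?i)union\s+select")),
]
FAILED_LOGIN = re.compile(r"sshd.*Failed password")


def make_logs() -> dict:
    """host -> list of lines shaped 'host epoch-seconds message' (constructed)."""
    logs = {"web01": [], "db01": []}
    quiet_period = [2, 3, 1, 2, 3, 2, 4, 2, 1, 3]  # failed logins per minute, minutes 0-9
    for host in logs:
        for minute, n in enumerate(quiet_period):
            for i in range(n):
                logs[host].append(f"{host} {minute * 60 + i} sshd[1]: Failed password for invalid user test from 198.51.100.{i + 1}")
    # minute 10: a burst against web01, and a slow attempt (one try every 10 s) against db01
    for i in range(30):
        logs["web01"].append(f"web01 {600 + i} sshd[1]: Failed password for root from 203.0.113.9")
    for i in range(4):
        logs["db01"].append(f"db01 {600 + i * 10} sshd[1]: Failed password for root from 203.0.113.9")
    logs["web01"] += [
        "web01 605 httpd: 203.0.113.9 GET /index.html HTTP/1.1 200",
        "web01 606 httpd: 203.0.113.9 GET /cgi-bin/../../etc/passwd HTTP/1.1 404",
        "web01 607 httpd: 203.0.113.9 GET /search?q=1%20UNION%20SELECT%20name,pw HTTP/1.1 200",
    ]
    return logs


def signature_matches(logs: dict) -> list:
    """Knowledge-based: URL-decode the line (so percent-encoding does not hide
    the pattern from the rule) and test every rule against it."""
    hits = []
    for host, lines in logs.items():
        for line in lines:
            text = unquote(line)
            hits.extend((host, name) for name, rx in SIGNATURES if rx.search(text))
    return hits


def failed_logins_per_minute(lines) -> Counter:
    counts = Counter()
    for line in lines:
        if FAILED_LOGIN.search(line):
            counts[int(line.split()[1]) // 60] += 1
    return counts


def anomaly_alerts(logs: dict, baseline_minutes=range(0, 10), k=3.0) -> dict:
    """Statistical anomaly: summarise the quiet period as mean + k*stddev of
    failed logins per minute for each host, then alert on later minutes above it."""
    alerts = {}
    for host, lines in logs.items():
        counts = failed_logins_per_minute(lines)
        base = [counts.get(m, 0) for m in baseline_minutes]
        threshold = mean(base) + k * pstdev(base)
        for minute in sorted(counts):
            if minute not in baseline_minutes and counts[minute] > threshold:
                alerts.setdefault(host, []).append((minute, counts[minute], round(threshold, 2)))
    return alerts


def demo():
    logs = make_logs()
    return signature_matches(logs), anomaly_alerts(logs)
```

The signature pass fires twice on web01 and needs no training, but only for patterns someone has already written a rule for; the anomaly pass flags web01's 30-per-minute burst against a threshold of about 5 and says nothing about db01, where four attempts in the minute sit inside normal variation. Both methods here consume the same multi-host log store, which is what the log-file-monitor slide describes and why its storage requirement is large.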
Responses to IDS
- Vary according to organization policy, objectives, and system capabilities
- Administrator must be careful not to increase the problem
- Responses are active or passive
Which One?
- Consider the system environment
  - Technical specification of the systems environment
  - Technical specification of current security protections
  - Goals of the enterprise
  - Formality of the system environment and management culture
Which One?
- Consider security goals and objectives
  - Protecting from threats outside the organization?
  - Protecting against inside threats?
  - Use the output of the IDS to determine new hardware/software needs
  - Maintain managerial control over non-security-related network usage
Which One?
- Security policy
  - Structure
  - Job descriptions of system users
  - Include a reasonable use policy
  - What are you going to do if a violation occurs?
Which One?
- Organization requirements and constraints?
  - Outside requirements
  - Resource constraints
- Features and quality
  - Tested product
  - User level of expertise
  - Product support
Strengths of IDS
- Monitoring & analysis of system events & user behaviors
- Testing security states of system configuration
- Baselining the security state of the system & tracking changes to the baseline
- Pattern recognition
- Auditing and logging
- Alerting
- Measuring performance
Limitations of IDS
An IDS cannot:
- Compensate for weak or missing security mechanisms
- Instantly report or detect during heavy operations
- Detect newly published attacks
- Effectively respond to sophisticated attackers
- Automatically investigate
- Keep attacks from circumventing it
- Deal effectively with switched networks
Control Strategies
- Centralized
- Partially distributed
- Fully distributed
Centralized
- All IDS control functions are implemented and managed in a centralized location
- 1 management system
- Advantages
  - Cost and control
  - Specialization
- Disadvantage
Fully Distributed
- Opposite of centralized
- All control functions applied at the physical location of each IDS component
- Each sensor/agent is best configured to deal with its own environment
- Reaction to attacks sped up
Partially Distributed Control
- Individual agents respond to local threats
- Report to a hierarchical central facility
- One of the more effective methods
Honey Pots / Honey Nets / Padded Cell Systems
- Honey pots
  - Decoy systems
  - Lure potential attackers away from critical systems
  - Encourage attacks against themselves
- Honey net
  - Collection of honey pots
  - Connects honey pots on a subnet
  - Contains pseudo-services that emulate well-known services
  - Filled with fictitious information
Honey Pots / Honey Nets / Padded Cell Systems
- Padded cell
  - Protected honey pot
  - IDS detects attacks and transfers them to a simulated environment
  - Monitors the actions of the attacker
Trap and Trace Systems
- Detect intrusion and trace the incident back
- Consist of a honey pot or padded cell & an alarm
- Similar to the concept of caller ID
- Back-hack
  - Considered unethical
- Legal drawbacks to trap and trace
  - Enticement and entrapment
Scanning and Analysis Tools
- Help find vulnerabilities in systems, holes in security components, and insecure aspects of the network
- Allow the system admin to see what the attacker sees
- May run into problems with the ISP
- Port scanners – what is active on a computer
- Firewall analysis tools
- Operating system detection tools
- Vulnerability scanners
- Packet sniffers
Access Control Tools
- Authentication – validation of a user's identity
- 4 general ways it is carried out
  - What he knows
  - What he has
  - Who he is
  - What he produces